IBM, AT&T accused by whistleblower of covering up foreign hacks

International Business Machines Corp. and AT&T Inc.’s computer systems were repeatedly breached by foreign hackers, and the companies concealed those intrusions from the US government in violation of the law, according to a lawsuit from a former IBM cybersecurity official.

William Barlow, IBM’s former vice president of threat intelligence, alleged in the complaint that the companies failed to disclose multiple breaches over years by attackers linked to foreign governments and made false assurances about the security of their systems in order to win and keep federal contracts. 

The whistleblower complaint against IBM and AT&T was filed under seal in 2020 and is still pending before a federal court in New York. It was made public this week, after the US government declined to intervene in the case, and hasn’t been previously reported. 

The suit offers a rare account of alleged security failures at two major government contractors. It raises questions about the protection of sensitive information on the networks, and about companies’ responsibility to disclose such compromises.

The hackers allegedly breached massive IBM cloud computing infrastructure that’s widely used by many parts of the US government, including the military. AT&T operates this “Core Network” on behalf of IBM, and the Dallas-based telecommunications company’s systems are part of them, according to the complaint.

The complaint alleges that foreign and unidentified hackers repeatedly infiltrated the network and that the companies sometimes couldn’t determine who got in, or what was taken. It also says IBM downplayed or concealed incidents before entering government agreements requiring it to certify it had no significant unresolved cybersecurity issues. 

“This complaint was filed six years ago, and the US Department of Justice declined to intervene,” said IBM spokesperson Adam Pratt. “IBM is confident that our actions followed the letter of the law.”

Representatives of AT&T didn’t respond to requests for comment.

Barlow worked at IBM in two stints beginning in 2002, including serving as vice president of threat intelligence from 2017 until his resignation in 2019, according to the lawsuit. He was quoted in a 2018 New York Times report about IBM offering cyber trainings in a mobile command center built in a customized semitrailer truck. Since leaving the Armonk, New York-based company Barlow has maintained a profile in the security industry, attending conferences and giving talks. 

Jason T. Brown, an attorney for Barlow, declined to discuss the circumstances of his client’s resignation or say whether the Justice Department has investigated the allegations in the False Claims Act suit. Government decisions to intervene in such cases often take years and federal officials choosing not to get involved doesn’t indicate the merit of a complaint, Brown said. He added that the allegations implicate billions of dollars of federal business with AT&T and IBM.

“We’re looking forward to aggressively litigating the matter,” said Brown, of the firm Brown, LLC. “You can’t sell cybersecurity to the federal government while allegedly having these security problem within your own company.”

In his suit, Barlow claimed he personally witnessed numerous breaches of IBM’s core network and was pressured by executives to soften internal reports and omit details. Barlow alleged he knew of specific instances where IBM senior management “actively took steps to cover up and conceal” hacks from US regulators and government clients.

“The data breaches are so large and the core networks so poorly designed that neither IBM nor AT&T knows exactly what data was breached, who breached the data, where the data was breached or whether any data was exfiltrated, altered and/or modified in any respect,” the lawsuit alleges. 

Chinese government-backed hackers were allegedly involved in some of the breaches cited in the suit.

In 2018, the US Department of Justice charged two alleged members of a Chinese hacking group that it said had waged a decade-long campaign to steal the data of 100,000 US Navy personnel. In his lawsuit, Barlow said the group, known as APT 10, had carried out that theft by infiltrating IBM’s networks. 

Intelligence agencies told IBM that internet addresses associated with its network were connecting to infrastructure used by APT 10, according to the suit. An internal company investigation found more than 50,000 “potential APT 10 hits” between 2013 and 2016, the suit alleges. The following year, another internal probe allegedly found attackers had accessed nearly 400 compromised accounts and almost 200 total systems and servers in 18 countries, across every business unit, the complaint says.

But because the company didn’t keep access logs, there was nothing further it could do to investigate, according to the suit.

The Chinese Embassy in Washington didn’t respond to a request for comment. 

Officials with the National Security Agency asked Barlow questions about the alleged hacks from China, but he was told to “dodge” them, according to the suit. It doesn’t say who allegedly gave Barlow this instruction. 

Barlow brought his suit in 2020 and it remained secret until it was unsealed Wednesday.  

The False Claims Act bars submitting false claims for payment to the US government. The law allows private whistleblowers to sue for alleged fraud against the government. Federal authorities may step in and effectively take control of such cases. The government can recover as much as three times its damages and whistleblowers can be awarded a portion of those damages.

A federal judge in New York ordered the suit be unsealed this spring after the US government declined to intervene. The court records don’t explain the government’s decision and Brown, Barlow’s attorney, said he didn’t know what motivated it.

The departments of Defense and Justice didn’t respond to emailed questions.

#IBM #ATT #accused #whistleblower #covering #foreign #hacks